Overview

This document is meant to provide information to help customers conduct data transfer impact assessments in connection with their use of Mocha products, in light of the “Schrems II” ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board.

This document describes the legal regimes applicable to Mocha in the US, the safeguards Mocha puts in place in connection with transfers of customer personal data from the European Economic Area ("Europe"), and Mocha's ability to comply with its obligations as "data importer" under the Standard Contractual Clauses ("SCCs").

For more details about Mocha’s GDPR compliance program, you can visit out please visit our Trust Center.

About the Transfer

Where Mocha processes personal data governed by European data protection laws as a data controller, we comply with our obligations under the Data Processing Addendum with you ("DPA"). When the customer is a European entity our DPA is deemed to incorporate the SCCs and provides the following information:

• description of Mocha’s processing of customer personal data (Exhibit A); and

• description of Mocha’s technical and organizational measures (Exhibit B)

Please refer to Exhibit A to the DPA for information on the nature of Mocha's processing activities in connection with the provision of our Ad Tech (Supply and Demand) Agreements, the types of customer personal data we process and transfer, and the categories of data subjects.

Identify the Safeguards on Which We Rely

Where personal data originating from Europe is transferred to Mocha, we rely upon the European Commission's SCCs to provide an appropriate safeguard for the transfer. To review Mocha’s Data Processing Addendum and applicable SSCs please visit https://www.mocha.global/trust-center.

Assess Whether the Transfer Tool Relied Upon Is Effective in Light of the Circumstances of the Transfer

U.S. Surveillance Laws

FISA 702 and Executive Order 12333

The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:

FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. This information gathering must be approved by the Foreign Intelligence Surveillance Court in Washington, DC. In-scope providers subject FISA 702 are electronic communication service providers ("ECSP")  within the meaning of 50 U.S.C § 1881(b)(4), which can include remote computing service providers ("RCSP"), as defined under 18 U.S.C. § 2510 and 18 U.S.C. § 2711.

Executive Order 12333 ("EO 12333") - authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside of the US. In particular, it provides authority for US intelligence agencies to collect foreign "signals intelligence" information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers, but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.

Further information about these US surveillance laws can be found in the U.S. Privacy  Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S .Data Transfers after  Schrems II whitepaper from September 2020. This document details the limits and safeguards pertaining to US public authority access to data and was issued in response to the Schrems II ruling.

Regarding FISA 702 the whitepaper notes:

• For most companies, the concerns about national security access to company data highlighted by Schrems II are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”

• There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.

Regarding Executive Order 12333 the whitepaper notes:

• EO 12333 does not on its own “authorize the U.S. government to require any company or person to disclose data.” Instead, EO 12333 must rely on a statute, such as FISA 702 to collect data.

• Bulk data collection, the type of data collection at issue in Schrems II, is expressly prohibited under EO 12333.

CLOUD Act

For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance outlining the scope of the CLOUD Act.

The whitepaper notes:

• The CLOUD Act only permits U.S. government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.

• The CLOUD Act does not allow U.S. government access to national security investigations, and it does not permit bulk surveillance.

Is Mocha subject to FISA 702 or EO 12333?

Mocha, like most US-based IT service provider companies, could be subject to FISA 702 where it is deemed to be an RCSP. However, Mocha does not process personal data that is likely to be of interest to US intelligence agencies.

What is our experience dealing with government access requests?

Therefore, while Mocha can technically be subject to the surveillance laws identified in Schrems II we have not been subject to these types of requests in our day-to-day business operations.

Taken together, we think it is highly unlikely that any of the features of U.S. law that the Schrems II court was worried about would apply to Datadog’s processing of your Personal Data as part of our provision of the Services.

Technical, contractual, and organizational measures applied to protect the transferred data

Mocha employs the following technical measures to secure personal data:

Security and certifications: Additional information about our security practices and certifications are available in Annex II of the Data Processing Addendum and on our Trust Center.

Technical measures: We are contractually obligated to have in place appropriate technical and organizational measures to safeguard personal data (both under the Data Processing Addendum as well as the SCCs we enter into with customers, service providers, and between entities with the Mocha group).

Transparency: We are obligated under the SCCs to notify our customers in the event it is made subject to a request for government access to customer personal data from a government authority.

Actions to challenge access: Under the SCCs, we are obligated to review the legality of government authority access requests and challenge such requests where they are unlawful.

Our organizational measures to secure customer data include:

• Government requests. As outlined above, we have not received any disclosure requests from the U.S. government, including requests for access under FISA 702. Should we ever receive such a request, we will review the legality of government access requests and challenge such requests where they are considered to be unlawful.

• Incident response and business continuity planning. We have a detailed incident response plan and a dedicated incident response team that guides our investigation and mitigation of any identified or potential breach.

• Data Protection Officer. We have an appointed a Data Protection Officer.

• Confidentiality obligations. All of our employees are required to sign confidentiality agreements, where local law allows.

• Access controls. We enforce strict access controls to ensure that the only people who have access to personal data are those that absolutely need it to perform their job functions.

• Employee training. We provide privacy and security training to all of our relevant employees As a result, our employees are always kept up to date on security and privacy best practices.

• Privacy by design. In order to ensure that all of our Services are built with privacy in mind, we make sure that data protection reviews and considerations are explicitly included in the product design life cycle.

This document is for informational purposes only the responsibilities and liabilities of Mocha are set in our commercial agreement, and this document is not part of, nor does it modify, any agreement between Mocha and its customers.